global phishing survey: trends and domain name

Upload: jobsmiles

Post on 30-May-2018


  • 8/14/2019 Global Phishing Survey: Trends and Domain Name

    1/30

    An APWG Industry Advisory http://www.apwg.org [email protected]

    PMB 246, 405 Waltham Street, Lexington MA USA 02421


    Global Phishing Survey:
    Trends and Domain Name Use in 1H2009

    An APWG Industry Advisory

    October 2009

    Committed to Wiping Out Internet Scams and Fraud


    Authors:

    Rod Rasmussen

    Internet Identity

    Greg Aaron

    Afilias

    Table of Contents

    Overview
    Basic Statistics
    Prevalence of Phishing by Top-Level Domain (TLD)
    Compromised Domains vs. Malicious Registrations
    Avalanche Attacks
    Phishing by Uptime
    Use of Internationalized Domain Names (IDNs)
    Use of Subdomains for Phishing
    Impact of Specialized Providers on Phishing Uptimes
    Conclusions
    Appendix
    About the Authors & Acknowledgments

    Disclaimer: The APWG and its cooperating investigators, researchers, and service providers have provided this study as a public service, based upon aggregated professional experience and personal opinion. We offer no warranty as to the completeness, accuracy, or pertinence of these data and recommendations with respect to any particular company's operations, or with respect to any particular form of criminal attack. Please see the APWG website -- apwg.org -- for more information.


    Overview

    The battle against phishing is a seesaw contest. On one side are the phishers, looking for better ways to steal money and Internet users' personal data. On the other side is an array of security and software providers, financial institutions, and other like-minded parties who fight back with counter-measures of their own. While phishing remains a dangerous criminal activity involving great losses of money and personal data, the latest statistics also show that phishing has not increased by some measures, and that some anti-phishing measures have had a beneficial impact.

    This report attempts to understand the scope of the global phishing problem, especially by examining domain name usage and phishing site uptimes. Specifically, this new report examines all the phishing attacks detected in the first half of 2009 ("1H2009") -- between January 1, 2009 and June 30, 2009. The data was collected by the APWG and supplemented with data from several phishing feeds and private sources. The APWG phishing repository is the Internet's most comprehensive archive of phishing and e-mail fraud activity.[1] Our data confirms new and ongoing trends, and we hope that bringing them to light will lead to improved anti-phishing measures.

    Our major findings include:

    1. In 1H2009, the average uptime of all phishing attacks was noticeably shorter than in 2H2008. This is an encouraging improvement, most likely reflecting efforts by providers and responders.
    2. The Avalanche phishing kit accounted for a whopping 24% of all phishing attacks launched in 1H2009. This criminal operation is one of the most sophisticated and damaging on the Internet, and targets vulnerable or non-responsive registrars and registries.
    3. The great majority of phishing is also concentrated in certain namespaces -- just five TLDs.
    4. The amount of Internet domain names and numbers used for phishing has remained fairly steady over the past two years.
    5. Anti-phishing programs implemented by domain name registries can reduce the up-times of phishing attacks, and can reduce the number of malicious registrations made in those TLDs.
    6. The unique characteristics of Internationalized Domain Names (IDNs) are not being used to facilitate phishing, and there are factors that may perpetuate this trend in the future.
    7. Phishers continue to use subdomain services to host and manage their phishing sites. Phishers used such services more often than they registered domain names via regular registrars. This trend shows phishers using services that cannot be taken down by domain registrars or registry operators.

    [1] This new report is a follow-up to our earlier studies of data stretching back to January 2007. The previous studies are available at:
    2H2008: http://www.apwg.org/reports/APWG_GlobalPhishingSurvey2H2008.pdf
    1H2008: http://www.apwg.org/reports/APWG_GlobalPhishingSurvey1H2008.pdf
    2007: http://www.antiphishing.org/reports/APWG_GlobalPhishingSurvey2007.pdf


    Basic Statistics

    Millions of phishing URLs were reported in 1H2009, but the number of unique phishing attacks and domain names used to host them is much smaller.[1] The 1H2009 data set yields the following statistics:

    • There were at least 55,698 phishing attacks. An attack is defined as a phishing site that targets a specific brand or entity. One domain name can host several discrete attacks against different banks, for example. This is down insignificantly from the 56,959 attacks recorded in 2H2008.
    • Those attacks occurred on 30,131 unique domain names.[2] This is barely down from the 30,454 observed in 2H2008.
    • Of the 30,454 phishing domains, we identified 4,382 that we believe were registered by phishers. These malicious domain registrations represented about 14.5% of the domain names involved in phishing, down from 18.5% in 2H2008. Virtually all the rest were hacked or compromised domains belonging to innocent site owners.
    • Phishing took place on domain names in 171 TLDs. However, malicious registrations apparently took place in just 57 TLDs. 86% of the 4,382 malicious domain registrations were made in just 5 TLDs.
    • Only about 3.6% of all domain names that were used for phishing contained a brand name or variation thereof. (See "Compromised Domains vs. Malicious Registrations" below.)
    • In addition, phish were detected on 3,563 unique IP addresses, rather than on domain names. (For example: http://96.56.84.42/ClientHelp/ssl/index.htm.) This is up from the 2,809 seen in 2H2008, and the 3,389 seen in 1H2008. Phishing on IPv6 addresses was negligible.
    • If unique domain names and unique IP addresses used for phishing are added together, the amount of Internet names and numbers used for phishing has remained relatively steady for the past two-and-one-half years.
    • The unique characteristics of internationalized domain names (IDNs) are not being used to facilitate phishing, and there are factors that may perpetuate this trend in the future. Only 13 of the 30,131 domain names we studied were IDNs. See "Use of Internationalized Domain Names" below for more details.

    [1] This is due to several factors:
    A) Some phishing involves customized attacks by incorporating unique numbers in the URLs, often to track targeted victims, or to defeat spam filters. A single phishing attack can therefore manifest as thousands of individual URLs, while leading to essentially one phishing site. Counting all URLs would therefore inflate some phishing campaigns. Our counting method de-duplicates in order to count unique attacks, and has remained consistent across this and our previous reports. For an example of an apparently different tallying method, see page 4 at: http://apwg.org/reports/apwg_report_h1_2009.pdf
    B) Phishers often use one domain name to host simultaneous attacks against different target brands. Some phishers are known for placing four or more different phishing attacks on each domain name it registers.
    C) A phishing site may have multiple pages, each of which may be reported.
    [2] Domain names are defined as second-level domain names, plus third-level domain names if the relevant registry offers third-level registrations. An example is the .CN (China) registry, which offers both second-level registrations and third-level registrations (in zones such as com.cn, gov.cn, zj.cn, etc.). However, see the "Subdomains Used for Phishing" section for commentary about how these figures may undercount the phishing activity in a TLD.
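The counting rules in the footnotes above, worked through as an added example (this is not the APWG's own tooling): reported URLs are collapsed into unique attacks, domain names and IP addresses. The report lines, brand labels, function names and the three-entry zone list are constructed for illustration, and keying an attack on hosting name plus target brand is an assumption drawn from the report's definition.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed, deliberately tiny list of zones where the registry sells
# third-level names (the footnote names com.cn, gov.cn and zj.cn under .CN).
THIRD_LEVEL_ZONES = {"com.cn", "gov.cn", "zj.cn"}


def site_key(url):
    """Return ("ip", address) or ("domain", registered_name) for a phish URL."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        return ("ip", str(ipaddress.ip_address(host)))
    except ValueError:
        pass  # not an IP literal, so treat it as a host name
    labels = host.split(".")
    # Second-level name, plus the third level where the registry offers it.
    keep = 3 if ".".join(labels[-2:]) in THIRD_LEVEL_ZONES else 2
    return ("domain", ".".join(labels[-keep:]))


def tally(reports):
    """Collapse (url, brand) reports into the survey's headline counts."""
    attacks, domains, ips, tlds = set(), set(), set(), set()
    for url, brand in reports:
        kind, name = site_key(url)
        # Assumption: one attack = one hosting name or IP + one target brand,
        # so per-victim tracking numbers and extra pages do not add attacks.
        attacks.add((name, brand.lower()))
        if kind == "ip":
            ips.add(name)
        else:
            domains.add(name)
            tlds.add(name.rsplit(".", 1)[-1])
    return {"urls": len(reports), "attacks": len(attacks),
            "domains": len(domains), "ips": len(ips), "tlds": len(tlds)}


# Constructed sample reports; hosts use reserved example names and a
# documentation IP range, and the brand labels are placeholders.
SAMPLE_REPORTS = [
    ("http://shop.example.com/a/login.php?id=1001", "BankA"),  # tracking number
    ("http://shop.example.com/a/login.php?id=1002", "BankA"),  # same attack
    ("http://shop.example.com/b/verify.htm", "BankB"),         # second brand, same domain
    ("http://www.example.com.cn/pay/index.htm", "BankA"),      # third-level registration
    ("http://login.example.com.cn/pay/step2.htm", "BankA"),    # another page, same attack
    ("http://192.0.2.10/ClientHelp/ssl/index.htm", "BankC"),   # IP-based phish
    ("http://www.example.org/x/", "BankA"),
]

if __name__ == "__main__":
    print(tally(SAMPLE_REPORTS))
```

Seven reported URLs reduce to five attacks on three domain names and one IP address, which is the gap between "millions of URLs" and the much smaller attack and domain counts the section describes.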


    Basic Statistics:

    |                                | 1H2009  | 2H2008  | 1H2008  | 2H2007 |
    |--------------------------------|---------|---------|---------|--------|
    | Phishing domain names          | 30,131  | 30,454  | 26,678  | 28,818 |
    | IP-based phish (unique IPs)    | 3,563   | 2,809   | 3,389   | 5,217  |
    | TLDs in phish URLs             | 171     | 170     | 155     | 145    |
    | Attacks                        | >55,698 | >56,969 | >47,342 |        |
    | Maliciously registered domains | 4,382   | 5,591   |         |        |
    | IDN domains                    | 13      | 10      | 52      | 10     |

    Each domain name's registrar of record was often not reported at the time of the phish. In most registries, a domain name can have multiple lifetimes as the name is registered, is deleted or expires, and is then registered anew. Obtaining accurate registrar sponsorship data for a domain name requires either time-of-attack WHOIS data, or historical registry-level data. This data has not been collected in a comprehensive manner by the anti-phishing community. Registrar-specific statistics and trends are certainly of interest, and are an opportunity for future studies.


    Prevalence of Phishing by Top-Level Domain (TLD)

    We analyzed the 30,131 phishing domains to see how many fell into which TLDs. The complete tables are presented in the Appendix.

    To place the numbers in context and measure the prevalence of phishing in a TLD, we use the metrics "Phishing Domains per 10,000" and "Phishing Attacks per 10,000". "Phishing Domains per 10,000"[1] is a ratio of the number of domain names used for phishing in a TLD to the number of registered domain names in that TLD. This metric is a way of revealing whether a TLD has a higher or lower incidence of phishing relative to others.

    In 1H2009, phishing occurred on domain names in 171 TLDs. Of those registries, we were able to obtain the domain count statistics for 136. Those 136 TLDs contained 99% of the phishing domains in our data set (29,884 out of the 30,131), and a total of 184,233,568 domain names overall.[2]

    The complete tables are presented in the Appendix, including the scores and the number of phish in each TLD.

    • The median score was 2.9, up slightly from 2.7 in 2H2008 and 2.3 in 1H2008.
    • The average score was 6.9, which was skewed by a few high-scoring TLDs.
    • .COM, the world's largest and most ubiquitous TLD, had a score of 1.8. .COM contains 50% of the phishing domains in our data set, and 45% of the domains in the TLDs for which we have domains-in-registry statistics.

    [1] Score = (phishing domains / domains in TLD) x 10,000
    [2] For the purposes of this study, we used the number of domain names in each registry as of the end of March 2009. Sources: ICANN.org (monthly registry reports), ccTLD registry operators.


    We therefore suggest that scores between .COM's 1.8 and the median of 2.9 occupy the middle ground, with scores above 2.9 indicating TLDs with increasingly prevalent phishing.

    The metric "Phishing Attacks per 10,000" is another useful measure of the pervasiveness of phishing in a namespace. It especially highlights what TLDs are predominantly used by phishers who use subdomain services, and where high-volume phishers place multiple phish on one domain.

    Notes regarding the statistics:

    • A small number of phish can increase a small TLD's score significantly, and these push up the study's median score. The larger the TLD, the less a phish influences its score, and the largest TLDs tend to appear lower in the rankings.
    • A registry's score can be increased by the action of just one busy phisher, or one vulnerable or inattentive registrar.
    • For more background on factors that can affect a TLD's score, please see "Factors Affecting Phishing Scores" in our earlier studies.

    Eliminating TLDs that had less than 30,000 domains under management or less than 25 phishing domains yields the following:

    Top 15 Phishing TLDs by Score
    Minimum 25 phishing domains and 30,000 domain names in registry

    | Rank | TLD | TLD Location | Unique Domain Names used for phishing 1H2009 | Domains in registry at end March 2009 | Score: Phish per 10,000 domains 1H2009 |
    |------|-----|--------------|----------------------------------------------|---------------------------------------|----------------------------------------|
    | 1    | pe  | Peru         | 64  | 32,000    | 20.0 |
    | 2    | th  | Thailand     | 68  | 42,594    | 16.0 |
    | 3    | bz  | Belize       | 29  | 43,113    | 6.7  |
    | 4    | be  | Belgium      | 484 | 892,267   | 5.4  |
    | 5    | ro  | Romania      | 163 | 310,900   | 5.2  |
    | 6    | tw  | Taiwan       | 194 | 425,551   | 4.6  |
    | 7    | kr  | Korea        | 399 | 999,262   | 4.0  |
    | 7    | cl  | Chile        | 97  | 243,701   | 4.0  |
    | 9    | ie  | Ireland      | 48  | 122,374   | 3.9  |
    | 10   | my  | Malaysia     | 31  | 80,949    | 3.8  |
    | 11   | su  | Soviet Union | 30  | 83,739    | 3.6  |
    | 11   | vn  | Vietnam      | 36  | 100,979   | 3.6  |
    | 13   | ru  | Russian Fed. | 710 | 2,016,396 | 3.5  |
    | 14   | il  | Israel       | 48  | 145,151   | 3.3  |
    | 15   | mx  | Mexico       | 93  | 290,101   | 3.2  |


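    The generic TLDs (gTLDs) are open to registrants across the world without registration qualifications, while sponsored TLDs (sTLDs) have eligibility requirements:

    Phishing in gTLDs and sTLDs by Score
    Minimum 30,000 domain names in registry

    | Rank | TLD    | # Unique Phishing attacks 1H2009 | Unique Domain Names used for phishing 1H2009 | Domains in registry at end March 2009 | Score: Phish per 10,000 domains 1H2009 |
    |------|--------|----------------------------------|----------------------------------------------|---------------------------------------|----------------------------------------|
    | 1    | org    | 2,554  | 1,691  | 7,549,754  | 2.2 |
    | 2    | net    | 5,423  | 2,570  | 12,525,459 | 2.1 |
    | 3    | name   | 134    | 53     | 278,516    | 1.9 |
    | 4    | com    | 25,994 | 15,170 | 82,229,830 | 1.8 |
    | 5    | biz    | 395    | 225    | 2,075,159  | 1.1 |
    | 6    | mobi   | 206    | 87     | 847,332    | 1.0 |
    | 7    | info   | 600    | 493    | 5,390,206  | 0.9 |
    | 8    | asia   | 2      | 2      | 248,407    | 0.1 |
    | 9    | pro    | 1      | 1      | 35,694     | 0.3 |
    | 10   | travel | 0      | 0      | 133,051    | 0.0 |
    | 11   | tel    | 0      | 0      | 129,562    | 0.0 |

    If measured by Attack Score, certain TLDs vault into higher rankings:

    Top 15 Phishing TLDs by Attack Score
    Minimum 50 phishing attacks and 30,000 domain names in registry

    | Rank | TLD | TLD Location   | # Unique Phishing attacks 1H2009 | Unique Domain Names used for phishing 1H2009 | Domains in registry at end March 2009 | Score: Phish per 10,000 domains 1H2009 | Score: Attacks per 10,000 domains 1H2009 |
    |------|-----|----------------|----------------------------------|----------------------------------------------|---------------------------------------|----------------------------------------|------------------------------------------|
    | 1    | th  | Thailand       | 128   | 68  | 42,594    | 16.0 | 30.1 |
    | 2    | pe  | Peru           | 86    | 64  | 32,000    | 20.0 | 26.9 |
    | 3    | be  | Belgium        | 1,813 | 484 | 892,267   | 5.4  | 20.3 |
    | 4    | bz  | Belize         | 81    | 29  | 43,113    | 6.7  | 18.8 |
    | 5    | li  | Liechtenstein  | 93    | 18  | 59,244    | 3.0  | 15.7 |
    | 6    | su  | Soviet Union   | 125   | 30  | 83,739    | 3.6  | 14.9 |
    | 7    | eu  | European Union | 3,869 | 864 | 3,043,070 | 2.8  | 12.7 |
    | 8    | ru  | Russian Fed.   | 1,982 | 710 | 2,016,396 | 3.5  | 9.8  |
    | 9    | ro  | Romania        | 278   | 163 | 310,900   | 5.2  | 8.9  |
    | 9    | fr  | France         | 1,214 | 340 | 1,367,333 | 2.5  | 8.9  |
    | 11   | kr  | Korea          | 751   | 399 | 999,262   | 4.0  | 7.5  |
    | 12   | mx  | Mexico         | 213   | 93  | 290,101   | 3.2  | 7.3  |
    | 13   | sk  | Slovakia       | 132   | 46  | 184,943   | 2.5  | 7.1  |
    | 14   | tw  | Taiwan         | 290   | 194 | 425,551   | 4.6  | 6.8  |
    | 15   | cl  | Chile          | 144   | 97  | 243,701   | 4.0  | 5.9  |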


    .FR and .RU continue to receive high Attack Scores because phishers launched large numbers of attacks in these TLDs via subdomain hosting services. (For more, see "Use of Subdomains for Phishing," below.) Attack Score is therefore a useful measure of the pervasiveness of phishing in a namespace.

    High-scoring TLDs almost invariably suffered from systematic exploitation by phishers. These cases highlight how vulnerabilities can lead to significant problems. Examples are:

    • .EU and .BE: The Avalanche phishing gang registered large numbers of .EU and .BE domains, and this is reflected in those TLDs' elevated Attack Scores. Avalanche began attacks in December 2008 and ramped up significantly in early 2009, quickly becoming the most prolific and dangerous phishing operation on the Internet. This group uses infrastructure and methods very similar to the previous "Rock" gang, and added fast-flux hosting to sustain its attacks.
    • .TH (Thailand): Phishing here takes place entirely on compromised Web sites in the AC.TH (academic) zone and the GO.TH (government) zone, and has been occurring regularly for two years. Although the number of attacks decreased from 2H2008 through 1H2009, phishers continued to have access into unsecure institutional servers in Thailand.
    • .SU (Soviet Union) and .RU (Russia). .SU and .RU remain high in the rankings due to phishing at subdomain resellers (see more below). Only one malicious phishing registration was made in .SU in 1H2009, a notable reduction from the 55 made in 2H2008. .SU is notable because it was to have been phased out years ago, after the dissolution of the Soviet Union. However it has not been removed from the DNS root, and the registry operator has built new registrations.

    Compromised Domains vs. Malicious Registrations

    We performed an analysis of how many domain names were registered by phishers, versus phish that appeared on compromised (hacked) domains. These different categories are important because they present different mitigation options for responders, and offer insights into how phishers commit their crimes. We flagged a domain as malicious if it was reported for phishing within a very short time of being registered (this is an indicator that the web server was not compromised), and/or contained a brand name or misleading string, and/or was registered in a batch or in a pattern that indicated common ownership or intent. There are some domains above and beyond the 4,382 we were not highly confident about classifying as malicious, and so we left them out of the count.

    Of the 30,131 phishing domains, we identified 4,382 that we believe were registered by phishers. These malicious or evil domains represent about 14.5% of the domain names involved in phishing. This is down from 5,591 domains (18.5%) in 2H2009. A staggering 43% of these maliciously registered domains (2,309) were Avalanche attack domains, which we examine in more detail below.

    86% of the 4,382 malicious domain registrations were made in just 5 TLDs -- .COM, .EU, .NET, .BE, and .ORG. (See the Appendix for breakdowns.) By this measure, phishing is highly concentrated in just a few namespaces.


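    Malicious Phishing Registrations by Volume
    Minimum 30,000 domain names in registry

    | Rank | TLD | Malicious Domain Names used for phishing 1H2009 | Unique Domain Names used for phishing 1H2009 | Domains in registry at end March 2009 | Score: Malicious Domains per 10,000 domains 1H2009 |
    |------|-----|-------------------------------------------------|----------------------------------------------|---------------------------------------|----------------------------------------------------|
    | 1    | be  | 293   | 484    | 892,267    | 3.28 |
    | 2    | eu  | 662   | 864    | 3,043,070  | 2.18 |
    | 3    | net | 438   | 2,570  | 12,525,459 | 0.35 |
    | 4    | org | 207   | 1,691  | 7,549,754  | 0.27 |
    | 5    | com | 2,180 | 15,170 | 82,229,830 | 0.27 |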

    The remaining 85.5% of the domains used for phishing were compromised or hacked domains. Phishing most often takes place on compromised Web servers, where the phishers place their phishing pages unbeknownst to the site operators. This method gains the phishers free hosting and complicates take-down efforts because suspending a domain name or hosting account also disables the resolution of the legitimate user's site. Phishing on a compromised Web site typically takes place on a subdomain or in a subdirectory, where the phish is not easily noticed by the site's operator or visitors.[1] Less than 1% of the domains used for phishing were domains operated by subdomain resellers and sites that offer Web site hosting (such as ISPs, geocities.com, etc.).

    Of the maliciously registered domains, 1,098 contained a relevant brand name, variation, or misspelling thereof.[2] This represents 25% of maliciously registered domains, and just 3.6% of all domains that were used for phishing. Placing brand names or variations thereof in the domain name itself is not a favored tactic, since brand owners are proactively scanning Internet zone files for such names. Most maliciously registered domains were random strings such as h1jh1.eu, which offered nothing to confuse a potential victim.

    Instead, phishers almost always place brand names in subdomains or subdirectories. This puts the misleading string somewhere in the URL, where potential victims may see it and be fooled. Internet users are rarely knowledgeable enough to be able to pick out the base or true domain name being used in a URL. Of the malicious registrations, a significant number contained neither a brand name, nor any other inducement. As we have observed in the past, the domain name itself usually does not matter to phishers, and a hacked domain name of any meaning, in any TLD, will usually do. Malicious domain name registrations do remain a damaging part of the current phishing problem, since they are used by the most prolific phishing gangs, which use them to harbor multiple phishing attacks.

    [1] A separate APWG report covering 1H2009 found that depending on the month, one-third to two-thirds of phishing URLs contain some form of target name: http://apwg.org/reports/apwg_report_h1_2009.pdf
    [2] Examples of domain names we counted as containing brand names included: urvh-payspall.com, abbey-reademail.com, facebook-bonus-chips.tk, mailb0x-regi0ns.com, wellsfargo-online.us, mynetvisa.com.

    TLDs that were heavily abused by malicious registrations in the past -- such as .HK and .VE -- had notably high phishing scores in our previous surveys. Those registries implemented better programs to prevent and respond to such attacks, and enjoy much better scores now. In fact, .HK and .VE each had only one malicious registration in 1H2009. CNNIC's anti-phishing program[1] bore results in 1H2009 also. Malicious registrations in .CN plummeted from 499 in 2H2008 to 115 in 1H2009.

    Avalanche Attacks

    Avalanche sites are the latest in mass-production phishing and malware distribution techniques. Phishing sites on Avalanche domains target the commercial banking platforms of more than 30 financial institutions, major on-line services, and job search providers. Social-engineered malware downloads are also being distributed from these same domains. These attacks involve domain names registered by the phishers, set up on name servers controlled by the phishers, and hosted on a fast-flux network of apparently compromised consumer-level machines. This fast-flux hosting makes mitigation efforts more difficult -- calling the Internet Service Provider to get a site or IP blocked is not effective, and the domain name itself must be suspended at the registrar or registry level.

    The Avalanche phishing kit accounted for a whopping 24% (13,334) of all phishing attacks seen during 1H 2009. However, since each domain is used to mount up to 30 attacks, this only represents about 8% of all domains used for phishing. These large numbers of similar attacks can have a dramatic effect on phishing uptime both overall (nearly a quarter of all phish) and for any targeted TLD (below).

    An Avalanche attack campaign consists of many domain names that appear almost identical to each other (such as 11fjfhi.com, 11fjfhj.com, 11fjfh1.com, and 11fjfhl.com). These domain name groupings are therefore distinctive and recognizable to those who are looking for them. While only one or two brands are typically spammed at any one time during an Avalanche attack, the miscreants rotate back to older targets frequently. If an Avalanche domain remains active over a long period of time, spam for other targets may be sent using it.
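One way a registrar or registry could look for the near-identical name groupings described above, and for the "registered in a batch or in a pattern" signal used earlier to flag malicious registrations. This is an added example, not the authors' method: the one-character threshold, the minimum batch size, the function names and the sample list (apart from the domain names quoted in the report) are assumptions.

```python
from itertools import combinations


def differ_by_at_most(a, b, limit):
    """True if two equal-length labels differ in at most `limit` positions."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) <= limit


def lookalike_batches(domains, max_diff=1, min_size=3):
    """Group registered names in the same TLD whose labels are near-identical.

    Assumes each input is a registered domain such as "label.tld". Names are
    linked when their labels differ in at most `max_diff` characters; linked
    names are merged with union-find and groups smaller than `min_size` are
    dropped so that an isolated typo pair is not reported as a batch.
    """
    names = sorted({d.lower().rstrip(".") for d in domains})
    parent = {n: n for n in names}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]   # path compression
            n = parent[n]
        return n

    # Pairwise comparison is O(n^2): fine for one day's registrations at a
    # single registrar, too slow for a whole zone file.
    for a, b in combinations(names, 2):
        label_a, _, tld_a = a.partition(".")
        label_b, _, tld_b = b.partition(".")
        if tld_a == tld_b and differ_by_at_most(label_a, label_b, max_diff):
            parent[find(a)] = find(b)

    groups = {}
    for n in names:
        groups.setdefault(find(n), []).append(n)
    return sorted(sorted(g) for g in groups.values() if len(g) >= min_size)


# Sample registration feed. The first four names and h1jh1.eu are quoted in
# the report; the rest are constructed.
SAMPLE_REGISTRATIONS = [
    "11fjfhi.com", "11fjfhj.com", "11fjfh1.com", "11fjfhl.com",
    "h1jh1.eu",                                # random string, no siblings
    "mybakery.net", "mybakery.org",            # same label, different TLDs
    "shop-example.com", "shop-exampie.com",    # a pair, below min_size
]

if __name__ == "__main__":
    for batch in lookalike_batches(SAMPLE_REGISTRATIONS):
        print(batch)
```

Only the four Avalanche-style names are reported as a batch; the lone random string, the cross-TLD pair and the two-name typo pair fall below the thresholds.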

    When setting up an attack, Avalanche registers domains at one to three registrars or resellers. They also target a small number of other registrars, testing to see if the registrar notices the registrations. If one registrar starts to quickly suspend the domains or implements other security procedures, Avalanche simply moves on to other vulnerable registrars. The phishers also employ additional tricks. For one batch of domain registrations, they chose a registrar located in a small country, and used credit card numbers stolen from consumers in that country in an attempt to avoid notice.

    Avalanche does the same with top-level domains, registering in TLDs where the registry operator may not be an active or effective participant in mitigation efforts.

    Avalanche attacks increased significantly into the third quarter of the year, and preliminary numbers indicate a possible doubling of attacks in the summer of 2009. Our next report will examine the data in detail.

    For more about Avalanche and the efficacy of its attacks, continue to "Phishing by Uptime," below.

    [1] In July 2008, an alliance of Chinese online commerce stakeholders, including CNNIC and several Chinese banks, founded the Anti-Phishing Alliance of China (APAC) in order to tackle phishing that abuses .CN sub-domain names, with CNNIC functioning as the secretariat of APAC.


    Phishing By Uptime

    In 1H2009, the average uptime of phishing attacks was noticeably shorter than in 2H2008. This is a significant event. Uptimes are a vital measure of how damaging phishing attacks are, and are a measure of the success of mitigation efforts. The longer a phishing attack remains active, the more money the victims and target institutions lose, and the more money the phisher can make. A top-ten American bank estimates that at least US$300 is lost for every hour that a phishing site remains up.[1]

    Phishers therefore strive for maximum uptime, and make choices accordingly. Phishers prefer vulnerable or inattentive registrars and registries, and the most sophisticated phishers use fast-flux hosting in an attempt to extend uptimes. (Phish hosted on fast-flux networks often stay up about twice as long as those on conventional hosting.) Long-lived phish can skew the averages considerably, as some phishing sites may last weeks or even months. Thus medians may be a useful barometer of overall mitigation efforts.

    In 1H2009, Internet Identity monitored the uptimes or live times of the phishing attacks in the data set.[2] For the 55,698 attacks in 1H2009, the average uptime was 39 hours, with a median of 13 hours and 15 minutes. The average was down significantly from 2H2008's average of 52 hours, and the median dropped also, from 14 hours and 43 minutes in 2H2008.

    The major difference was the Avalanche attacks, which tended to attract a great deal of attention. Putting the Avalanche attacks aside, there was still a modest improvement over 2H2008. Without Avalanche attacks counted, 1H2009's average uptime was 45 hours and 36 minutes, and the median was 14 hours and 3 minutes. This is an encouraging improvement.

    [1] This estimate posits that the average loss from a stolen bank access credential (either online account access, a debit card, or credit card) is US$400, and that the phisher steals two such valid credentials every three hours. This impact generally holds throughout the first 72 hours of phishing site uptime, and drops off thereafter. Note that these may be conservative estimates since they measure only bottom-line losses, and do not factor in soft costs like customer support calls, unseen losses through untracked channels, or the impact of ID theft upon the customer.
    [2] The system used to track the uptimes automatically monitored the phishing sites, and monitoring began as soon as the system became aware of a phish via feeds or honeypots. Each phish was checked several times per hour to confirm its availability, and was not declared down until it had stayed down for at least one hour. (This requirement was used because some phish, especially those hosted on botnets, may not resolve on every attempt but in general remain live.) This estimate tends to under-count the real uptime of a phishing site, since more than 10% of sites re-activate after one hour of being down. However, our method is a consistent measure that allows direct comparison across incidents and should be fair for relative comparisons.
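The uptime rule in the footnote above, worked through as an added example (this is not Internet Identity's monitoring system): a site is declared down only after failing probes for a full hour, and the average and median are then taken over the measured uptimes. The 20-minute probe interval, the choice to stop the clock at the first failed probe of the confirmed outage, the function names and the three probe logs are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import mean, median

DOWN_CONFIRM = timedelta(hours=1)     # rule stated in the report's footnote
PROBE_STEP = timedelta(minutes=20)    # assumption: "several times per hour"
T0 = datetime(2009, 1, 1)             # constructed start of monitoring


def probes_from(pattern, start=T0):
    """Build a constructed probe log: 'U' = page answered, 'D' = no answer."""
    return [(start + i * PROBE_STEP, ch == "U") for i, ch in enumerate(pattern)]


def uptime(probes):
    """Time from first awareness to the outage that stayed down >= 1 hour."""
    start = probes[0][0]
    down_since = None
    for ts, is_up in probes:
        if is_up:
            down_since = None            # site answered again: blip ignored
        elif down_since is None:
            down_since = ts              # first failed probe of a new outage
        elif ts - down_since >= DOWN_CONFIRM:
            return down_since - start    # confirmed; clock stops at outage start
    return probes[-1][0] - start         # never confirmed down within the log


def naive_uptime(probes):
    """For comparison: stop the clock at the very first failed probe."""
    start = probes[0][0]
    for ts, is_up in probes:
        if not is_up:
            return ts - start
    return probes[-1][0] - start


def summarize(logs):
    """Return (average, median) uptime in minutes across all probe logs."""
    minutes = [uptime(p).total_seconds() / 60 for p in logs]
    return mean(minutes), median(minutes)


# Constructed probe logs.
FLAKY_BOTNET_SITE = probes_from("UUDUUUDDDD")       # one missed probe, then gone
QUICK_TAKEDOWN = probes_from("UDDDD")               # down after 20 minutes
LONG_LIVED_SITE = probes_from("U" * 72 + "DDDD")    # up for a full day
SAMPLE_LOGS = [FLAKY_BOTNET_SITE, QUICK_TAKEDOWN, LONG_LIVED_SITE]

if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(uptime(log), "vs naive", naive_uptime(log))
    print("average %.0f min, median %.0f min" % summarize(SAMPLE_LOGS))
```

The flaky site is measured at 2 hours instead of the 40 minutes a first-failure rule would give, and the single day-long site pulls the average to about 527 minutes while the median stays at 120, which is why the report treats medians as the steadier barometer.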


    The uptimes for all phishing attacks in 1H2009, and for phish in large TLDs, were as follows:

    Uptimes by TLD (HH:MM:SS)

    ALL PHISH   Average    Median
    Jan         41:57:27   12:51:49
    Feb         38:17:27   13:49:33
    Mar         36:00:14   13:25:08
    Apr         40:42:42   11:35:26
    May         37:50:11   13:31:39
    June        40:01:22   12:08:19
    1H2009      39:11:03   13:15:32

    Our theory is that malicious registrations are attracting more mitigation efforts for the following reasons:

    a) Responders are highly aware of them, especially the Avalanche domains. And,
    b) These domains are often registered using stolen credit cards. Registrars usually cancel fraudulently registered domains quickly. In most TLDs, a domain cancelled within 5 days of registration immediately exits the zone and stops resolving.

    The average uptimes of Avalanche attacks were significantly lower than the norm, and the median was slightly lower than the norm, too:

    AVALANCHE   Average    Median
    Jan         13:30:02   12:02:55
    Feb         15:23:51   12:26:21
    Mar         31:10:42   15:15:30
    Apr         20:54:11   12:57:43
    May         39:32:07   12:41:00
    June        12:03:03    8:49:22
    1H2009      18:45:44   12:23:43

    Avalanche domains are hosted on fast-flux networks, which are designed to extend the uptimes of phish by making mitigation more difficult. But the uptimes numbers suggest that responders may be neutralizing the efficacy of Avalanche's fast-flux hosting.

    In any case, the numbers show how Avalanche activity is a dominant factor, and how the type of phishing is a factor to be considered when examining uptimes.


    .COM Average Median .NET Average Median

    Jan 55:30:32 12:44:47 Jan 28:38:27 10:29:01

    Feb 48:33:56 13:11:22 Feb 42:06:52 15:39:22

    Mar 36:23:57 13:42:49 Mar 32:42:03 10:37:42

    Apr 46:22:38 11:49:19 Apr 39:25:33 9:45:48

    May 39:32:07 12:41:00 May 29:47:41 11:04:38

    June 42:27:14 13:01:30 June 23:06:50 12:26:32

    1H2009 44:09:56 12:57:01 1H2009 29:45:58 11:25:24

    .ORG Average Median .BIZ Average Median

    Jan 37:11:21 13:30:06 Jan 20:46:51 5:34:57

    Feb 24:32:43 13:07:59 Feb 35:35:54 13:55:20

    Mar 20:50:39 8:20:41 Mar 27:32:42 9:39:49

    Apr 22:13:11 4:15:53 Apr 30:14:59 14:24:42

    May 22:10:39 6:45:57 May 36:34:38 12:13:32

    June 42:33:44 15:57:10 June 31:34:13 14:12:20

    1H2009 27:54:08 8:55:25 1H2009 29:17:03 10:16:41

    .INFO Average Median .UK Average Median

    Jan 21:10:44 11:34:41 Jan 33:11:28 14:06:06

    Feb 22:58:58 11:29:37 Feb 40:07:42 15:37:05

    Mar 25:00:35 7:10:07 Mar 45:55:12 9:55:30

    Apr 33:20:24 11:34:28 Apr 53:02:30 7:54:31

    May 28:06:36 28:06:36 May 50:18:40 18:29:57

    June 20:53:40 13:02:51 June 53:42:20 21:07:56

    1H2009 25:10:24 11:23:52 1H2009 45:23:09 14:10:28

    .EU Average Median .BE Average Median

    Jan 17:07:20 12:42:52 Jan 12:48:28 11:22:38

    Feb 16:20:22 13:27:50 Feb 22:51:20 15:03:58

    Mar 37:36:14 13:19:43 Mar 16:50:58 12:26:13

    Apr 18:51:01 11:36:37 Apr 18:54:20 11:44:09

    May 29:15:30 12:57:05 May 42:10:47 24:33:11

    June 35:40:11 13:14:45 June 24:08:57 11:45:10

    1H2009 23:31:14 13:16:01 1H2009 16:51:28 12:06:43

    .RU Average Median .CN Average Median

    Jan 34:24:01 17:31:07 Jan 84:02:07 57:37:18

    Feb 31:20:04 17:35:20 Feb 42:36:42 20:16:48

    Mar 45:47:26 20:07:20 Mar 35:45:22 19:38:15

    Apr 41:22:40 15:56:38 Apr 153:32:09 60:16:29

    May 32:59:09 22:08:10 May 34:14:18 24:09:36

    June 53:37:19 27:44:44 June 34:14:18 24:09:36

    1H2009 39:46:08 19:33:42 Total 67:15:34 30:02:27

    The average uptimes in gTLDs were:


    The average uptimes in some major ccTLDs were:

    TLDs with large percentages of malicious registrations had lower-than-average uptimes. Examples include .EU (662 out of its 864 phishing domains were malicious), .BE (293 out of 484), .NAME (44 out of 53), and .MOBI (62 out of 87).

    A success story in 1H2009 was the new anti-phishing program put into place by The Public Interest Registry (PIR), the operator of the .ORG TLD. .ORG had average phishing uptimes in 2H2008 and January 2009. Stating a desire for abuse response and heightened user protection, PIR announced a new anti-abuse policy to its registrars in late 2008, and it went into effect on February 5, 2009.1 On that day, PIR began actively reporting phish to its registrars, helping them to alert their registrants about compromised phishing domains. PIR also reserved the option to suspend maliciously registered phishing domains, and did occasional outreach to the hosting providers of hacked phishing domains.2 The impact was dramatic -- .ORG's phishing uptimes immediately dropped by a third.

    In March through May, PIR also responded to the Avalanche gang by quickly suspending maliciously registered .ORG domains, often within minutes of their activation. In mid-May the Avalanche gang stopped registering .ORG domains, and concentrated on registering in other TLDs instead. By June, .ORG was left with mostly phishing on compromised domains, which are harder to mitigate. .INFO and .BIZ continued their anti-phishing programs and recorded lower-than-average uptimes, and Avalanche almost completely avoided these TLDs.

    Other major registry operators with active anti-phishing programs performed well by various measures.

    .CN, .ORG, .INFO, and .BIZ now face mostly phishing on compromised domains, which are more difficult to fight. However, these TLDs are still turning in lower-than-average uptimes. The results show a correlation between lower phishing uptimes and proactive efforts by registry operators and the registrars they work with.

    Use of Internationa lized Dom ain Names (IDNs)

    An a rea of g row ing interest on the Inte rnet is Inte rna tiona lized Dom ain Names, or IDNs.And the re ha s bee n inte rest in how IDNs might ena b le phishing. Data show s tha t theunique c harac teristics of IDNs are no t being used to fac ilitate p hishing a t this time. We thinkthat the re a re fac tors that m ay pe rpe tuate this trend in the future.

    IDNs a re do ma in names that c onta in one o r more non-ASCII c harac ters. Suc h d om ainname s c an conta in lette rs with d iac ritica l ma rks such a s and , or c harac ters from non-Lat insc rip ts suc h as Arab ic , Chinese, Cyrillic , or Hind i. Over the p ast four yea rs, IDNs have b ee navailable a t the sec ond and third levels in many d om ain name reg istries, with the ma jorityregistered in Asia.

    The IDN hom og rap h atta c k is a m ea ns by which a ma lic ious pa rty ma y seek to deceivec om pute r users by e xp loiting the fac t that c ha rac ters in different lang uag e sc ripts ma y benea rly (or wholly) indistinguishab le. One suc h spoo f was the reg istration of a d om a in tha tapp ea red in the browser ad d ress ba r as:

    http://www.p ypal.com/

    How eve r, the first ASCII "a " wa s rep lac ed by the virtua lly ide ntica l-looking Cyrillic "a",tec hnica lly ma king it different d oma in nam e c omp letely.

    Are such tricks being used by phishers? From January 1, 2007 to June 30, 2009 only 85 IDNs were used for phishing. The majority were .HK domain names apparently used by the Rock Phish gang early in 2008. That batch presented as Chinese characters intermixed with Latin characters and were evidently not homographic attacks. (And they targeted Western banks and non-Chinese consumers.) Except for one, the rest appear to be compromised/hacked IDN domains owned by innocent parties.

    1 http://www.pir.org/index.php?db=content/Website&tbl=About_Us&id=14

    2 PIR received assistance from Internet Identity and Afilias.

    The one true homograph attack we were able to identify appeared on January 16, 2009. The domain name was:

    xn--hotmal-t9a.net

    When it is rendered in a browser address bar, this IDN looks like this, with a deceptive character spoofing the lower-case "i":

    hotmaıl.net

    The phish appeared on the home page of the domain, and targeted users of Microsoft's Hotmail service.

    Given that IDNs have been widely available for years, why haven't phishers utilized IDN homograph attacks more often?

    1. Phishers don't need to resort to such attacks. As noted elsewhere in this report, the domain name itself usually does not matter to a phisher.

    2. By default, some browser manufacturers show the punycode version of the domain name (such as "xn--hotmal-t9a.net") in the address bar, instead of the native-character version.
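A defensive check for the two spoofs described above, added here as an example and not taken from the report: it decodes `xn--` labels to the form an address bar would render and compares a look-alike-folded version against a watch-list. The `CONFUSABLES` table and `WATCHED_NAMES` list are small constructed samples.

```python
import unicodedata

# Constructed subset of look-alike characters mapped to ASCII. Assumption: this
# is enough for the demo; a production check would load the full Unicode
# confusables data instead of a hand-made table.
CONFUSABLES = {
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
}
WATCHED_NAMES = {"hotmail", "paypal"}  # hypothetical brand watch-list


def to_unicode_label(label):
    """Decode one DNS label from its xn-- (punycode) form to Unicode."""
    label = label.lower()
    if not label.startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return label  # malformed punycode: leave as registered


def to_ascii_label(text):
    """Encode a Unicode label to xn-- form (used here to build sample input)."""
    return "xn--" + text.encode("punycode").decode("ascii")


def fold(text):
    """Replace known look-alike characters with the ASCII letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def scripts(text):
    """Rough script of each letter, taken from the first word of its Unicode name."""
    return sorted({unicodedata.name(ch, "UNKNOWN").split()[0]
                   for ch in text if ch.isalpha()})


def check_domain(domain):
    """Return one finding per label that renders as a watched name only after
    look-alike folding. Pure-ASCII labels and ordinary IDNs produce nothing."""
    findings = []
    for label in domain.rstrip(".").split("."):
        rendered = to_unicode_label(label)
        if rendered.isascii():
            continue
        folded = fold(rendered)
        if folded != rendered and folded in WATCHED_NAMES:
            findings.append({
                "label": label.lower(),
                "rendered": rendered,
                "imitates": folded,
                "scripts": scripts(rendered),
            })
    return findings


if __name__ == "__main__":
    samples = [
        "xn--hotmal-t9a.net",                        # domain named in the report
        "www." + to_ascii_label("p\u0430ypal") + ".com",  # constructed: Cyrillic a
        to_ascii_label("m\u00fcnchen") + ".de",       # constructed: ordinary IDN
        "hotmail.net",
    ]
    for name in samples:
        print(name, "->", check_domain(name))
```

The dotless-i label decodes to Latin script only, so a mixed-script test alone would not flag the Hotmail case; the folded comparison does.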

    IDNs will remain an area of interest. On September 30, 2009 ICANN announced its new fast track process for top-level IDNs.1 This will enable the introduction of a number of internationalized country-code top level domain names (IDN ccTLDs). Once implemented, this will be the first time that users will be able to obtain a domain name with the entire string in characters based on a native language.

    Use of Subdomains for Phishing

    As we wrote about in our last report, phishers are making significant use of subdomain registration services to host phish. Malicious use of these services remained remarkably steady in the first half of 2009, and still accounts for the majority of phishing in some large TLDs. In the first half of 2009, subdomain services hosted 6,441 phish versus the 6,339 phish we saw in the second half of 2008. This is more than the number of domains registered by phishers at regular domain name registrars (4,382). This is a disturbing trend, because phish on subdomain registration services can be effectively mitigated only by the subdomain providers themselves2 and some of these services are unresponsive to complaints.

    We define subdomain registration services as providers that give customers subdomain hosting accounts beneath a domain name the provider owns. These services offer users the ability to define a name in their own DNS space for a variety of purposes. Thus a customer will obtain a hostname to use for his/her own Web site and/or e-mail of the form:

    ..TLD

    1 http://www.icann.org/en/topics/idn/

    2 Registrars or registry operators cannot mitigate these phish by suspending the main or parent domains; doing so would neutralize every subdomain hosted on the parent, thereby affecting many innocent users.


    Beyond uses for these services we've reported previously, there is a rapidly growing trend to use these kinds of services to provide URL shortening functionality. The popularity of the online service Twitter in particular and other social networking sites has driven a large part of this demand. Users of those services can obtain a very short URL to use on their limited space posts which redirects the visitor to a much longer hidden URL automatically. This is also an ideal vector for abuse, as they redirect unsuspecting users to the truly malicious site based on a domain and service they are quite comfortable using, thus potentially lowering their guard.

    We have identified more than 465 subdomain registration providers, which offer services on nearly 2,600 domain names. This is a space as rich as the current regulated domain space, with as many or more business models and no real rules or oversight. It is not surprising to see criminals gravitating towards this space as registries and registrars in the gTLD and ccTLD spaces implement better anti-abuse policies and procedures.

    Subdomain services remain a popular way for phishers to mount attacks. In our survey we positively identified 6,441 subdomain sites/accounts used for phishing, beneath 483 unique second-level domains. This is remarkably similar to the second half of 2008, where we saw 6,339 subdomain sites/accounts used for phishing, beneath 480 unique second-level domains. Counting these unique subdomains as regular domain names, these types of domains would represent around 18% of all domains involved in phishing.

    Top 20 Subdomain Services Used for Phishing 1H2009

    Rank Domain Total Provider

    1 ns10-wistee.fr 453 wistee.fr

    2 t35.com 243 t35.com

    3 nm.ru 200 pochta.ru

    4 blackapplehost.com 191 blackapplehost.com

    5 110mb.com 176 110mb.com

    6 pochta.ru 161 pochta.ru

    7 pop3.ru 153 pochta.ru

    8 justfree.com 150 justfree.com

    9 by.ru 134 by.ru

    10 free.fr 127 free.fr

    10 freehostia.com 127 freehostia.com

    12 tripod.com 117 tripod.com

    13 aplus.net 106 aplus.net

    14 land.ru 102 pochta.ru

    15 uol.com.br 83 uol.com.br

    16 bplaced.net 81 bplaced.net

    17 altervista.org 77 altervista.org

    18 co.cc 63 php0h.com

    19 hostrator.com 61 hostrator.com

    20 50webs.com 59 50Webs.com


    Provider Total Attacks

    Pochta.ru 822

    Wistee.fr 475

    t35.com 243

    Overall, there were 288 different providers of subdomain registrations who had phishing subdomains on their services in the first half of 2009. The Russian freemail provider Pochta.ru continued to lead the industry with at least 17 domains that were used to host phishing in 1H2009, and those domains were used to mount at least 822 phishing attacks. The good news is that this provider continues to quickly mitigate phish when reported.

    For the second survey period in a row, second place belongs to the French hosting provider Wistee.fr, with four domains that hosted 475 phishing attacks during the first half of 2008.

    For more information on subdomain resellers and the unique challenges they pose for phishing and abuse mitigation, please see the recent APWG paper "Making Waves in the Phishers' Safest Harbors: Exposing the Dark Side of Subdomain Registries."1

    1 http://apwg.com/reports/APWG_Advisory_on_Subdomain_Registries.pdf

    Impact of Specialized Providers on Phishing Uptimes

    Because of the impact that subdomain resellers and specific virtual hosting providers can have on an individual TLD's score, we have taken a deeper look at a few TLDs that saw a prevalence of alternative phishing attack activities in this period. This includes phishing via subdomain resellers and virtual private hosting companies that provide personal Web hosting accounts that were fraudulently purchased by phishers, typically in great numbers.

    This subcategory of attacks does seem to have a consistent impact over time and can affect a specific TLD's score. The impact can be either positive or negative, though, depending on the responsiveness of the individual providers involved, and a single provider can have a major impact upon an entire TLD. For comparison, we looked at .COM, as there are many such providers in that dominant TLD. The impact on .COM was significantly negative, with average uptimes nearly 7 hours longer with those attacks included in .COM's overall average. However, in .FR and .RU, the providers were actually significantly faster than their counterparts at removing phishing sites. So while they contributed large numbers of phishing sites to their respective TLDs, they improved the uptime scores for those TLDs.

    Breaking out the individual attack types by TLD shows the opposing impacts the various providers can have on a TLD's score. Some hosting companies are very quick to mitigate attacks, while others take many days in some cases. Subdomain resellers tend to do a better job, but can still have an impact in average uptime for a TLD.

    Overall, in order for a TLD registry operator to understand how its overall score is affected by these specialized operators, it is important for the registry to know about these services within their TLD. Working with them when there is a persistent problem can sometimes quickly improve the situation.

    Conclusions

    We saw some evidence that the seesaw battle between phishers and anti-phishing forces has stabilized. The size of the battlefield, at least as measured by domain names and number of attacks, has remained nearly constant. On average, the attacks are not lasting as long as previously, indicating improving success by responders, domain registrars and registries, ISPs, and web hosting providers. Phishers are still obtaining takedown-resistant resources at subdomain resellers and by hacking domains, but they are also being denied resources by some major domain name registry operators and vigilant registrars. And the continued good efforts of spam filtering providers, browser manufacturers, and antivirus software vendors are undoubtedly aiding Internet users.

    We also saw that a great deal of phishing is concentrated: the Avalanche gang is responsible for a quarter of phishing attacks, and most maliciously registered phishing domains are localized in only five TLDs. We can hope that focus on these areas of low-hanging fruit will lead to further improvements.


    Appendix: Phishing Statistics and Uptimes by TLD

    NOTE: The column # Total Malicious Domains Registered 1H2009 includes the number of Avalanche domains regis

    TLD | TLD Location | # Unique Phishing attacks 1H2009 | Unique Domain Names used for phishing 1H2009 | Domains in registry at end March 2009 | Score: Phish per 10,000 domains 1H2009 | Score: Attacks per 10,000 domains 1H2009 | Average Uptime 1H2009 hh:mm:ss | R

    ac Ascension Island 0 0 0:00:00

    ae United Arab Emirates 4 3 87,000 0.3 0.5 6:00:32

    aero sponsored TLD 0 0 6,456 0.0 0:00:00

    af Afghanistan 0 0 0:00:00

    ag Antigua and Barbuda 1 1 15,928 0.6 0.6 17:37:02

    ai Anguilla 0 0 0:00:00

    al Albania 1 1 10:34:22

    am Armenia 11 7 10,834 6.5 10.2 26:34:51

    an Netherlands Antilles 1 1 4:18:59

    ar Argentina 207 159 1,837,779 0.9 1.1 41:26:32

    as American Samoa 5 4 8:51:43

    asia sponsored TLD 2 2 248,407 0.1 0.1 16:03:59

    at Austria 129 96 830,610 1.2 1.6 32:42:23

    au Australia 384 309 1,345,462 2.3 2.9 43:21:44

    az Azerbaijan 3 3 8,511 3.5 3.5 130:29:31

    ba Bosnia & Herzegovina 18 11 9,167 12.0 19.6 136:49:56

    bd Bangladesh 2 2 2,670 7.5 7.5 10:23:19

    be Belgium 1,813 484 892,267 5.4 20.3 16:51:27

    bf Burkina Faso 0 0 0:00:00

    bg Bulgaria 9 7 15,700 4.5 5.7 83:00:24

    bh Bahrain 0 0 0:00:00

    biz generic TLD 395 225 2,075,159 1.1 1.9 29:17:02


    bm Bermuda 1 1 5,250 1.9 1.9 3:02:48

    bn Brunei Darussalam 4 2 23:31:48

    bo Bolivia 7 5 4,700 10.6 14.9 52:44:08

    br Brazil 654 381 1,675,918 2.3 3.9 41:30:24

    bs Bahamas 38 1 2,228 4.5 170.6 215:54:07

    bt Bhutan 0 0 0:00:00

    bw Botswana 1 1 72:28:08

    by Belarus 19 16 71:23:03

    bz Belize 81 29 43,113 6.7 18.8 20:39:06

    ca Canada 291 226 1,198,350 1.9 2.4 42:21:03

    cat sponsored TLD 6 5 35,591 1.4 1.7 22:34:43

    cc Cocos (Keeling) Islands 130 39 registry declined to provide 70:12:17

    cd Congo, Democratic Repub. 0 0 0:00:00

    ch Switzerland 243 139 1,278,125 1.1 1.9 35:37:02

    ci Côte d'Ivoire 10 3 1,195 25.1 83.7 47:06:06

    cl Chile 144 97 243,701 4.0 5.9 47:39:54

    cm Cameroon 1 1 625 16.0 16.0 3:13:44

    cn China 159 115 13,843,548 0.1 0.1 67:15:34

    co Colombia 31 22 25,750 8.5 12.0 40:06:28

    com generic TLD 25,994 15,170 82,229,830 1.8 3.2 44:09:56

    coop sponsored TLD 1 1 5,843 1.7 1.7 11:22:38

    cr Costa Rica 1 1 11,739 0.9 0.9 17:55:53

    cu Cuba 2 1 1,500 6.7 13.3 11:18:16

    cx Christmas Island 27 3 4,800 6.3 56.3 53:10:35

    cy Cyprus 9 6 6,500 9.2 13.8 42:53:05


    cz Czech Republic 195 99 550,328 1.8 3.5 31:25:40

    de Germany 886 667 12,760,000 0.5 0.7 40:30:42

    dj Djibouti 0 0 0:00:00

    dk Denmark 182 106 996,329 1.1 1.8 49:22:52

    dm Dominica 2 1 14,500 0.7 1.4 12:32:09

    do Dominican Republic 14 7 10,100 6.9 13.9 81:33:47

    dz Algeria 1 1 53:19:05

    ec Ecuador 12 10 17,900 5.6 6.7 36:40:05

    edu U.S. higher education 26 21 Registry declined to provide 49:04:33

    ee Estonia 11 9 65,500 1.4 1.7 68:59:49

    eg Egypt 2 2 4,000 5.0 5.0 107:41:23

    er Eritrea 1 1 120 83.3 83.3 74:57:08

    es Spain 254 164 1,130,650 1.5 2.2 42:43:41

    et Ethiopia 1 1 519:12:24

    eu European Union 3,869 864 3,043,070 2.8 12.7 23:31:13

    fi Finland 31 26 211,510 1.2 1.5 90:38:23

    fj Fiji 3 2 29:44:27

    fk Falkland Islands 0 0 0:00:00

    fm Micronesia, Fed. States 9 7 19:00:59

    fo Faroe Islands 3 1 56:50:57

    fr France 1,214 340 1,367,333 2.5 8.9 27:52:10

    gd Grenada 9 3 2,100 14.3 42.9 14:23:59

    ge Georgia 11 8 13,050 6.1 8.4 122:36:17

    gg Guernsey 4 1 159:48:30

    gh Ghana 2 2 50:18:26


    gi Gibraltar 0 0 1,695 0.0 0:00:00

    gl Greenland 1 1 1:24:02

    gov U.S. government 3 3 registry declined to provide 471:01:26

    gp Guadeloupe 0 0 1,100 0.0 0:00:00

    gr Greece 116 75 240,000 3.1 4.8 30:02:21

    gs South Georgia & Sandwich Is. 3 2 8,200 2.4 3.7 91:50:26

    gt Guatemala 8 3 6,809 4.4 11.7 159:08:02

    hk Hong Kong 28 23 176,446 1.3 1.6 55:25:57

    hm Heard and McDonald Is. 6 3 14:14:29

    hn Honduras 0 0 3,972 0.0 0:00:00

    hr Croatia 11 9 66,754 1.3 1.6 28:57:19

    ht Haiti 0 0 1,110 0.0 0:00:00

    hu Hungary 127 91 430,000 2.1 3.0 59:56:04

    id Indonesia 96 61 44:46:17

    ie Ireland 59 48 122,374 3.9 4.8 41:48:03

    il Israel 82 48 145,151 3.3 5.6 45:43:46

    im Isle of Man 6 3 14,500 2.1 4.1 8:46:09

    in India 107 83 485,210 1.7 2.2 43:33:29

    info generic TLD 600 493 5,390,206 0.9 1.1 25:10:24

    io British Indian Ocean Terr. 0 0 0:00:00

    ir Iran 47 34 112,491 3.0 4.2 67:43:49

    is Iceland 9 7 24,041 2.9 3.7 22:41:30

    it Italy 373 215 1,685,845 1.3 2.2 43:33:02


    je Jersey 0 0

    jm Jamaica 1 1 4,600 2.2 2.2 10:

    jo Jordan 5 4 2,715 14.7 18.4 11

    jobs sponsored TLD 0 0 15,597 0.0 0:0

    jp Japan 173 125 1,082,514 1.2 1.6 54:2

    ke Kenya 3 3 10,696 2.8 2.8 29:21:09

    kg Kyrgyzstan 0 0 3,230 0.0 0:00:00

    kh Cambodia 0 0 829 0.0 0:00:00

    ki Kiribati 0 0 4,350 0.0 0:00:00

    kr Korea 751 399 999,262 4.0 7.5 54:36:18

    kw Kuwait 0 0 0:00:00

    ky Cayman Islands 0 0 5,800 0.0 0:00:00

    kz Kazakhstan 21 15 35,298 4.2 5.9 58:18:50

    la Lao People's Demo. Rep. 16 7 22:54:11

    lb Lebanon 0 0 2,850 0.0 0:00:00

    lc St. Lucia 1 1 1,972 5.1 5.1 6:09:43

    li Liechtenstein 93 18 59,244 3.0 15.7 14:41:04

    lk Sri Lanka 9 7 5,921 11.8 15.2 22:41:57

    lt Lithuania 16 15 101,711 1.5 1.6 73:17:14

    lu Luxembourg 5 5 43,853 1.1 1.1 11:31:44

    lv Latvia 19 13 50,000 2.6 3.8 45:31:05

    ly Libya 3 2 5,851 3.4 5.1 7:31:05

    ma Morocco 37 13 29,581 4.4 12.5 43:50:14

    md Moldova 7 6 67:36:09

    me Montenegro 84 30 211,899 1.4 4.0 33:07:00

    mg Madagascar 1 1 2:44:39


    mk Macedonia 5 4 7:21:06

    ml Mali 2 1 100:55:18

    mn Mongolia 9 9 7,333 12.3 12.3 76:58:21

    mo Macao 0 0 2,599 0.0 0:00:00

    mobi sponsored TLD 206 87 847,332 1.0 2.4 10:43:31

    mr Mauritania 0 0 0:00:00

    ms Montserrat 5 3 11,650 2.6 4.3 13:58:17

    mt Malta 2 2 11,750 1.7 1.7 32:41:11

    mu Mauritius 0 0 8,700 0.0 0:00:00

    museum sponsored TLD 0 0 545 0.0 0:00:00

    mx Mexico 213 93 290,101 3.2 7.3 36:00:52

    my Malaysia 40 31 80,949 3.8 4.9 59:10:40

    mz Mozambique 0 0 1,800 0.0 0:00:00

    name generic TLD 134 53 278,516 1.9 4.8 14:26:27

    net generic TLD 5,423 2,570 12,525,459 2.1 4.3 29:45:58

    nf Norfolk Island 11 3 5,000 6.0 22.0 2:34:10

    ng Nigeria 6 4 1,350 29.6 44.4 19:29:03

    ni Nicaragua 0 0 23,000 0.0 0:00:00

    nl Netherlands 610 509 3,323,308 1.5 1.8 46:39:41

    no Norway 52 43 428,123 1.0 1.2 54:22:04

    np Nepal 4 2 11,900 1.7 3.4 12:41:47

    nr Nauru 4 2 425 47.1 94.1 90:43:43

    nu Niue 117 32 36:05:15

    nz New Zealand 53 45 353,430 1.3 1.5 30:00:07

    org generic TLD 2,554 1,691 7,549,754 2.2 3.4 27:54:07

    pa Panama 5 3 4,800 6.3 10.4 37:53:18

    pe Peru 86 64 32,000 20.0 26.9 33:56:47


    ph Philippines 27 18 registry declined to provide 18:19:47

    pk Pakistan 75 16 28,200 5.7 30:17:13

    pl Poland 573 359 1,416,565 2.5 4.0 43:26:33

    pn Pitcairn 5 4 152:21:27

    pro sponsored TLD 1 1 35,694 0.3 0.3 5:46:22

    ps Palestinian Territory 3 2 4,315 4.6 7.0 2:03:35

    pt Portugal 61 46 296,871 1.5 2.1 61:28:35

    py Paraguay 3 2 8,834 2.3 3.4 39:45:27

    qa Qatar 1 1 16:38:12

    ro Romania 278 163 310,900 5.2 8.9 68:01:07

    rs Serbia 20 13 45,000 2.9 4.4 26:39:43

    ru Russian Fed. 1,982 710 2,016,396 3.5 9.8 39:46:07

    sa Saudi Arabia 11 9 15,946 5.6 6.9 122:22:13

    sc Seychelles 1 1 6,543 1.5 1.5 20:43:35

    se Sweden 94 72 853,802 0.8 1.1 61:07:32

    sg Singapore 24 18 109,823 1.6 2.2 30:47:30

    sh Saint Helena 0 0 0:00:00

    si Slovenia 23 19 67,207 2.8 3.4 56:31:34

    sk Slovakia 132 46 184,943 2.5 7.1 49:04:53

    sl Sierra Leone 0 0 1,200 0.0 0:00:00

    sm San Marino 0 0 1,905 0.0 0:00:00

    st Sao Tome & Principe 9 3 5,660 5.3 15.9 49:09:03

    su Soviet Union 125 30 83,739 3.6 14.9 37:26:53

    sv El Salvador 2 2 4,292 4.7 4.7 57:05:31

    sy Syria 2 2 22:08:33

    tc Turks and Caicos 35 10 9,700 10.3 36.1 111:36:58


    tel generic TLD 0 0 129,562 0.0 0:00:00

    tf French Southern Territories 4 3 1,557 19.3 25.7 74:32:27

    th Thailand 128 68 42,594 16.0 30.1 64:08:22

    tj Tajikistan 5 2 4,681 4.3 10.7 72:32:02

    tk Tokelau 166 135 1,780,000 0.8 0.9 40:36:12

    tl Timor-Leste 5 2 36:37:39

    tm Turkmenistan 1 1 0:44:13

    tn Tunisia 1 1 50 200.0 200.0 3:05:43

    to Tonga 11 11 13,250 8.3 8.3 47:26:02

    tp Portuguese Timor 1 1 40:00:06

    tr Turkey 52 35 191,193 1.8 2.7 59:58:35

    travel sponsored TLD 0 0 133,051 0.0 0:00:00

    tt Trinidad & Tobago 5 4 2,202 18.2 22.7 106:26:11

    tv Tuvalu 42 35 registry declined to provide 49:51:56

    tw Taiwan 290 194 425,551 4.6 6.8 47:52:21

    tz Tanzania 4 3 21:58:28

    ua Ukraine 146 104 403,456 2.6 3.6 45:19:40

    ug Uganda 11 6 3,100 19.4 35.5 30:15:35

    uk United Kingdom 823 605 7,665,754 0.8 1.1 45:23:09

    us United States 200 153 1,392,657 1.1 1.4 37:14:16

    uy Uruguay 15 13 18,622 7.0 8.1 17:21:42

    uz Uzbekistan 3 3 8,284 3.6 3.6 5:07:00

    vc St. Vincent & Grenadines 1 1 6,259 1.6 1.6 12:56:35

    ve Venezuela 24 15 130,000 1.2 1.8 111:19:13

    vg British Virgin Islands 7 4 8,900 4.5 7.9 10:21:43

    vi Virgin Islands 0 0 457 0.0 0:00:00

    vn Vietnam 52 36 100,979 3.6 5.1 48:53:00

    vu Vanuatu 0 0 0:00:00

    ws Samoa 57 34 540,000 0.6 1.1 52:24:00

    yu Yugoslavia (being deprecated) 6 4 4,500 8.9 128:55:28

    za South Africa 91 64 476,607 1.3 1.9 36:42:16

    zm Zambia 1 1 75:42:51

    zw Zimbabwe 10 5 8,328 6.0 12.0 43:56:16

    TOTALS 55,698 30,131 184,583,376

    About the Authors & Acknowledgments

    Greg Aaron is Director of Key Account Management and Domain Security at Afilias (www.afilias.info). Afilias operates the .INFO top-level domain (TLD) and provides technical and advising services for thirteen other TLDs, including .ORG, .MOBI, .ASIA, .ME, and .IN (India). Greg oversees .INFO operations and Afilias' security programs, including domain name abuse policy and practices. He is also an expert on domain name intellectual property issues and Internationalized Domain Names (IDNs). He is the Chair of ICANN's Registration Abuse Working group (RAPWG), serves on the steering committee of the Anti-Phishing Working Group (APWG), served on ICANN's Fast-Flux Working Group, and has advised the Government of India regarding domain and related Internet policies. He previously worked at Internet companies such as Travelocity, and graduated magna cum laude from the University of Pennsylvania.

    Rod Rasmussen is President and CTO of Internet Identity (www.internetidentity.com), and has served as its technical leader since he co-founded the company in 2001. He is widely recognized as a leading expert on the abuse of the domain name system by phishing criminals. Rasmussen is co-chair of the Anti-Phishing Working Group's (APWG) Internet Policy Committee (IPC), and serves as the APWG's Industry Liaison to various groups around the world, including ICANN, the international oversight body for domain names. He served on ICANN's Fast-Flux Working Group. He is also a member of the Steering Committee for the Authentication and Online Trust Alliance (AOTA), and an active member of the Digital PhishNet, a collaboration between industry and law enforcement. Prior to starting Internet Identity, Rasmussen held product management roles for LanQuest, a network equipment testing company, and networking product manufacturer Global Village. Rasmussen earned an MBA from the Haas School of Business at the University of California, Berkeley and holds two bachelor's degrees, in Economics and Computer Science, from the University of Rochester.

    The authors wish to thank the following for their support: Peter Cassidy, Foy Shiver, and Laura Mather of the APWG; Ram Mohan and Bruce Reeser of Afilias. A very special thank-you to Aaron Routt of Internet Identity for his tireless work in ensuring the accuracy of the data in the report, and for preparing the many charts and graphs. The authors also thank the members of the security industry, the domain name industry, and the law enforcement community who have contributed to anti-phishing programs and research.

    #